The “overriding interest” exception under GDPR: Shifting the focus to businesses?
April 01, 2015
It is a well-established principle in the EU that personal data should be processed for specified purposes. It should not be further processed in a way incompatible with the purposes for which it was originally collected (subject to consent and strict exceptions). This concept is enshrined in the Charter of Fundamental Rights and plays a large part in what is considered as ‘fair’ when processing the personal data of individuals.
It comes as no surprise that the Article 29 Working Party ('WP 29') has raised serious concerns, particularly in the context of Big Data, over the approach adopted by the Justice and Home Affairs Council ('Council') with respect to “further processing” under Chapter II of the draft General Data Protection Regulation ('GDPR'). At issue is the following wording of Article 6(4) GDPR as adopted by the Council:
“Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject.”
WP 29 stated that, according to the Council, it will be possible for data controllers to further process personal data even if the purpose is incompatible with the original one. The only requirement is for data controllers to establish an overriding interest in the further processing; one that overrides the interests of the data subjects concerned (the 'Overriding Interest Exception').
The use of the Overriding Interest Exception would shift the focus away from individuals to businesses. Under the current legal framework, the starting point for businesses is generally to consider the data subject first: is the further processing in line with the data subject’s expectations and has consent been adequately obtained? The Council's approach would modify this starting point by allowing businesses to assess their position first by determining whether they have any overriding interest in the further processing.
The discussion naturally leads on to how ‘overriding interest’ is defined and to the inherent ambiguity of the term, much like the concept of ‘legitimate interest’, on which WP 29 felt the need to publish its 06/2014 opinion to provide clarity. If the GDPR is adopted with the Council’s approach, expect a similar opinion from WP 29, guidance from local regulators or interpretation from the courts. That is for another day, however, and in any event the Overriding Interest Exception will have the effect of shifting the focus away from individuals to businesses.
It is this shift that may provide insight as to why WP 29 has serious concerns in the context of Big Data. In our recently published Enforcement Tracker 2014, we have predicted that in a few years’ time there will be a much stronger enforcement environment for all activities connected with the ‘monetisation of the customer’. Big data analytics plays a big role in this monetisation and makes it possible for businesses to assimilate large volumes of personal data (often by further processing personal data originally collected for a different purpose) to facilitate activities such as behavioral advertising.
As such, WP 29 may feel that providing businesses with an option to justify further processing by using the Overriding Interest Exception not only goes against some of the fundamental principles of EU data protection law but may also lead to unfair exploitation of individuals’ personal data, particularly in an era where Big Data analytics is on the rise. As the Council’s approach stands, however, businesses have the upper hand, but expect further revisions to be made on this point before the final text of the GDPR is approved.